Shared Service Admin


We have a need for a shared global admin account. One of our demands is that all admin accounts in 365 have MFA enabled.

How can you share an admin account with MFA enabled? Any ideas or experience?

5 Replies
Might I ask the requirement to have a shared Admin?

In our corporate case, we have only dedicated admin accounts per "User Admin" similar to adm_userLogin created on the internal AD Domain and synched to AAD

Each of those accounts is not associated with any Office 365 licenses, and the admin permissions are given depending on the technology knowledge (Exchange, SP, …).

Those accounts don't have MFA enabled anyway, to avoid fighting with the multiple authentication issues.

Fab

Hi.


E.g. we have one "master account" to manage our Azure subscriptions. We are several people who need to log in to this account to manage the subscriptions.


Also, our SharePoint guys need to share an account for working with Flow, where they need one account to create flows.

The case is the same here (more than 50'000 employees), so we are splitting the roles as follows:

  • The tenant full admin role: 2 persons, to share the holiday time
  • The Exchange Admin role: 3 persons
  • The SharePoint Admin role: 4 persons
  • A dedicated support team which also has the tenant admin role and can execute scripts or changes depending on the request, with the full admin's validation

The situation was quite acceptable in the past because the isolation was ok, but with the new Office Group positioning, that is less and less sustainable.

From what I understood, the dedicated admins will be removed and the admin permissions will be transferred only to the support team.


Some other aspects are pushing us in that direction, with the GDPR regulations, the US and SG regulations, …

So we will continue with that separation of accounts for admin and support as explained before, but the associated roles will probably change a little bit.


About the developers' case, we have that question for Flows & PowerApps but also for Power BI dev, and we decided to create shared service accounts (without MFA) delivered to the "Publisher"; the developer will work in a dedicated space (site collection or groups/teams).


Hope that will help you.


Fab


You can configure some desk phone (or even VOIP number) as the auth number, and handle the 2FA challenge. Alternatively, you can configure MFA bypass based on "trusted IPs". Using a GA without MFA is a bad practice, however secure you think the password is (even ignoring the fact you are sharing the password between several people).